Safeguards Rule to Secure Customer Data

Charles Carreon

JUNE 2008 NOTICE: This section of the Primer is under revision. There have been many developments in the field of information security law that require treatment here, including State laws to protect from identity theft. END NOTICE.

The FTC recently adopted a rule that requires financial institutions under FTC jurisdiction to “secure” customer records and information. The recently-adopted rule is posted at www.FTC.gov/privacy/glbact. Section 313.3(k) defines financial institutions specifically, and includes “check-cashing businesses, data processors, mortgage brokers, non-bank lenders, personal property or real estate appraisers, small tax preparers, courier services, and retailers that issue credit cards to consumers.” If you are a financial services provider, you should obtain legal advice on how to comply with the Safeguards Rule, which is intended to cut down on identity theft.

The Safeguards Rule requires financial institutions to “develop a written information security plan that describes their program to protect customer information.” The plan must designate employees to coordinate the safeguards, identify and assess risks to customer information, evaluate the effectiveness of current safeguards, design and implement a safeguards program, regularly monitor and test it, select appropriate service providers and contract with them to implement safeguards, and evaluate the program in light of relevant circumstances, including changes in the firm's business arrangements or operations. The plan must address three areas of information security: employee management and training, information systems, and managing system failures. The Safeguards Rule provides detailed suggestions with respect to all of these matters, including how to manage locked files, issue and revoke passwords, store and dispose of customer information, and respond to virus attacks and hacking.

For some of you, there may be a business opportunity here in helping to prepare these required plans. Because the Safeguards Rule seeks to protect customer data handled by many companies other than financial institutions, it seems likely that the provisions of the rule will eventually be applied to virtually any business that stores large amounts of financial data. I predict this will eventually sweep in anyone who uses merchant accounts for recurring billing.

The Right to Privacy